Compile fix for Win64 with jit disabled.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-14  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 with jit disabled.
        https://bugs.webkit.org/show_bug.cgi?id=119804

        Reviewed by Michael Saboff.

        * offlineasm/cloop.rb: Added std:: before isnan.

2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::asActivation):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
        * offlineasm/sh4.rb:
            - Handle storeb opcode.
            - Make relative jumps when possible using braf opcode.
            - Update bmulio implementation to be consistent with baseline JIT.
            - Remove useless code from leap opcode.
            - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
            - Introduce a loadEffectiveAddress function to avoid code duplication.
            - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
            - Prepare DFG_JIT implementation.
            - Add ASSERTs.
        * jit/JITStubs.cpp:
            - Add SH4 specific call for assertions.
        * jit/JITStubs.h:
            - Cosmetic change.
        * jit/JITStubsSH4.h:
            - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:
            - Cosmetic change.

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types.  There doesn't seem to be any
        class in webkit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

        * Target.pri:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStacktrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restoring it after
          the counting.
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical
        scoping.

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.

2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06  Michael Saboff  <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
        ourselves to save a register and then load from it.

2013-08-06  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

2013-08-08  Stephanie Lewis  <slewis@apple.com>

        <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file

        Unreviewed.

        Ensure llint symbols are in source order.

        * JavaScriptCore.order:

2013-08-06  Mark Lam  <mark.lam@apple.com>

        Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
        https://bugs.webkit.org/show_bug.cgi?id=119532.
780
781         Reviewed by Oliver Hunt.
782
783         * parser/Parser.cpp:
784         (JSC::::Parser):
785         - Just need to initialize the Parser's JSTokenLocation's initial line and
786           startOffset as well during Parser construction.
787
788 2013-08-06  Stephanie Lewis  <slewis@apple.com>
789
790         Update Order Files for Safari
791         <rdar://problem/14517392>
792
793         Unreviewed.
794
795         * JavaScriptCore.order:
796
797 2013-08-04  Sam Weinig  <sam@webkit.org>
798
799         Remove support for HTML5 MicroData
800         https://bugs.webkit.org/show_bug.cgi?id=119480
801
802         Reviewed by Anders Carlsson.
803
804         * Configurations/FeatureDefines.xcconfig:
805
806 2013-08-05  Oliver Hunt  <oliver@apple.com>
807
808         Delay Arguments creation in strict mode
809         https://bugs.webkit.org/show_bug.cgi?id=119505
810
811         Reviewed by Geoffrey Garen.
812
813         Make use of the write tracking performed by the parser to
814         allow us to know if we're modifying the parameters to a function.
815         Then use that information to make strict mode function opt out
816         of eager arguments creation.
817
818         * bytecompiler/BytecodeGenerator.cpp:
819         (JSC::BytecodeGenerator::BytecodeGenerator):
820         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
821         (JSC::BytecodeGenerator::emitReturn):
822         * bytecompiler/BytecodeGenerator.h:
823         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
824         * parser/Nodes.h:
825         (JSC::ScopeNode::modifiesParameter):
826         * parser/Parser.cpp:
827         (JSC::::parseInner):
828         * parser/Parser.h:
829         (JSC::Scope::declareParameter):
830         (JSC::Scope::getCapturedVariables):
831         (JSC::Parser::declareWrite):
832         * parser/ParserModes.h:
833
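The entry above turns on the parser's write tracking so that a strict-mode function whose parameters are never written can skip eager creation of its arguments object. The following is an added example (my own code, not JavaScriptCore's) showing the language-level reason that optimisation is safe: in sloppy mode the arguments object is mapped to the parameters, so the engine has to keep them in sync from the first write; in strict mode it is an unmapped snapshot, so a function that only reads its parameters can build it lazily from the current values, while a write to a parameter would force the snapshot to be taken before the write. The helper names are my own; the behaviour asserted is standard ECMAScript semantics.

```javascript
// Added example, not JavaScriptCore code: mapped (sloppy) vs. unmapped (strict)
// arguments objects, the semantics behind delaying arguments creation.

// Sloppy-mode functions built with the Function constructor, which always
// produces non-strict code even if this file itself is loaded as a (strict)
// ES module. Their arguments object is "mapped": parameter and arguments[i]
// are two views of one slot, so a write to either is visible through the other.
const sloppyWriteToParam = new Function('a', 'a = a + 1; return arguments[0];');
const sloppyWriteToArguments = new Function('a', 'arguments[0] = 42; return a;');

// Strict mode: arguments is "unmapped", a snapshot taken at the call. Writes
// to the parameter are never reflected into it, and vice versa.
function strictWriteToParam(a) {
  'use strict';
  a = a + 1;
  return arguments[0]; // still the value passed in
}

function strictWriteToArguments(a) {
  'use strict';
  arguments[0] = 42;
  return a; // parameter untouched
}

// The case the ChangeLog entry targets: a strict function that only reads its
// parameters. Because nothing can have diverged, the arguments object can be
// materialised on first use from the live parameter values and still be correct.
function strictReadOnlyParams(a, b) {
  'use strict';
  const sum = a + b;
  return [sum, arguments.length, arguments[0], arguments[1]];
}

// Collect the observable differences in one place.
function demonstrate() {
  return {
    sloppyParamWrite: sloppyWriteToParam(1),          // 2: write seen via arguments
    sloppyArgumentsWrite: sloppyWriteToArguments(1),  // 42: write seen via parameter
    strictParamWrite: strictWriteToParam(1),          // 1: snapshot untouched
    strictArgumentsWrite: strictWriteToArguments(1),  // 1: parameter untouched
    strictReadOnly: strictReadOnlyParams(3, 4),       // [7, 2, 3, 4]
  };
}
```

The sloppy functions are deliberately created with the Function constructor so the example behaves the same whether the file is run as a CommonJS script or as an ES module (which is strict throughout).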
834 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
835
836         Remove useless code from COMPILER(RVCT) JITStubs
837         https://bugs.webkit.org/show_bug.cgi?id=119521
838
839         Reviewed by Geoffrey Garen.
840
841         * jit/JITStubsARMv7.h:
842         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
843         (JSC::ctiOpThrowNotCaught): Ditto.
844
845 2013-07-23  David Farler  <dfarler@apple.com>
846
847         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
848         https://bugs.webkit.org/show_bug.cgi?id=117762
849
850         Reviewed by Mark Rowe.
851
852         * Configurations/DebugRelease.xcconfig:
853         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
854         * Configurations/JavaScriptCore.xcconfig:
855         Add ASAN_OTHER_LDFLAGS.
856         * Configurations/ToolExecutable.xcconfig:
857         Don't use ASAN for build tools.
858
859 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
860
861         Build fix for ARM MSVC after r153222 and r153648.
862
863         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
864
865 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
866
867         Build fix for ARM MSVC after r150109.
868
869         Read the stub template from a header files instead of the JITStubs.cpp.
870
871         * CMakeLists.txt:
872         * DerivedSources.pri:
873         * create_jit_stubs:
874
875 2013-08-05  Oliver Hunt  <oliver@apple.com>
876
877         Move TypedArray implementation into JSC
878         https://bugs.webkit.org/show_bug.cgi?id=119489
879
880         Reviewed by Filip Pizlo.
881
882         Move TypedArray implementation into JSC in advance of re-implementation
883
884         * GNUmakefile.list.am:
885         * JSCTypedArrayStubs.h:
886         * JavaScriptCore.xcodeproj/project.pbxproj:
887         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
888         (JSC::ArrayBuffer::transfer):
889         (JSC::ArrayBuffer::addView):
890         (JSC::ArrayBuffer::removeView):
891         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
892         (JSC::ArrayBufferContents::ArrayBufferContents):
893         (JSC::ArrayBufferContents::data):
894         (JSC::ArrayBufferContents::sizeInBytes):
895         (JSC::ArrayBufferContents::transfer):
896         (JSC::ArrayBufferContents::copyTo):
897         (JSC::ArrayBuffer::isNeutered):
898         (JSC::ArrayBuffer::~ArrayBuffer):
899         (JSC::ArrayBuffer::clampValue):
900         (JSC::ArrayBuffer::create):
901         (JSC::ArrayBuffer::createUninitialized):
902         (JSC::ArrayBuffer::ArrayBuffer):
903         (JSC::ArrayBuffer::data):
904         (JSC::ArrayBuffer::byteLength):
905         (JSC::ArrayBuffer::slice):
906         (JSC::ArrayBuffer::sliceImpl):
907         (JSC::ArrayBuffer::clampIndex):
908         (JSC::ArrayBufferContents::tryAllocate):
909         (JSC::ArrayBufferContents::~ArrayBufferContents):
910         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
911         (JSC::ArrayBufferView::ArrayBufferView):
912         (JSC::ArrayBufferView::~ArrayBufferView):
913         (JSC::ArrayBufferView::neuter):
914         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
915         (JSC::ArrayBufferView::buffer):
916         (JSC::ArrayBufferView::baseAddress):
917         (JSC::ArrayBufferView::byteOffset):
918         (JSC::ArrayBufferView::setNeuterable):
919         (JSC::ArrayBufferView::isNeuterable):
920         (JSC::ArrayBufferView::verifySubRange):
921         (JSC::ArrayBufferView::clampOffsetAndNumElements):
922         (JSC::ArrayBufferView::setImpl):
923         (JSC::ArrayBufferView::setRangeImpl):
924         (JSC::ArrayBufferView::zeroRangeImpl):
925         (JSC::ArrayBufferView::calculateOffsetAndLength):
926         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
927         (JSC::Float32Array::set):
928         (JSC::Float32Array::getType):
929         (JSC::Float32Array::create):
930         (JSC::Float32Array::createUninitialized):
931         (JSC::Float32Array::Float32Array):
932         (JSC::Float32Array::subarray):
933         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
934         (JSC::Float64Array::set):
935         (JSC::Float64Array::getType):
936         (JSC::Float64Array::create):
937         (JSC::Float64Array::createUninitialized):
938         (JSC::Float64Array::Float64Array):
939         (JSC::Float64Array::subarray):
940         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
941         (JSC::Int16Array::getType):
942         (JSC::Int16Array::create):
943         (JSC::Int16Array::createUninitialized):
944         (JSC::Int16Array::Int16Array):
945         (JSC::Int16Array::subarray):
946         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
947         (JSC::Int32Array::getType):
948         (JSC::Int32Array::create):
949         (JSC::Int32Array::createUninitialized):
950         (JSC::Int32Array::Int32Array):
951         (JSC::Int32Array::subarray):
952         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
953         (JSC::Int8Array::getType):
954         (JSC::Int8Array::create):
955         (JSC::Int8Array::createUninitialized):
956         (JSC::Int8Array::Int8Array):
957         (JSC::Int8Array::subarray):
958         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
959         (JSC::IntegralTypedArrayBase::set):
960         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
961         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
962         (JSC::TypedArrayBase::data):
963         (JSC::TypedArrayBase::set):
964         (JSC::TypedArrayBase::setRange):
965         (JSC::TypedArrayBase::zeroRange):
966         (JSC::TypedArrayBase::length):
967         (JSC::TypedArrayBase::byteLength):
968         (JSC::TypedArrayBase::item):
969         (JSC::TypedArrayBase::checkInboundData):
970         (JSC::TypedArrayBase::TypedArrayBase):
971         (JSC::TypedArrayBase::create):
972         (JSC::TypedArrayBase::createUninitialized):
973         (JSC::TypedArrayBase::subarrayImpl):
974         (JSC::TypedArrayBase::neuter):
975         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
976         (JSC::Uint16Array::getType):
977         (JSC::Uint16Array::create):
978         (JSC::Uint16Array::createUninitialized):
979         (JSC::Uint16Array::Uint16Array):
980         (JSC::Uint16Array::subarray):
981         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
982         (JSC::Uint32Array::getType):
983         (JSC::Uint32Array::create):
984         (JSC::Uint32Array::createUninitialized):
985         (JSC::Uint32Array::Uint32Array):
986         (JSC::Uint32Array::subarray):
987         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
988         (JSC::Uint8Array::getType):
989         (JSC::Uint8Array::create):
990         (JSC::Uint8Array::createUninitialized):
991         (JSC::Uint8Array::Uint8Array):
992         (JSC::Uint8Array::subarray):
993         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
994         (JSC::Uint8ClampedArray::getType):
995         (JSC::Uint8ClampedArray::create):
996         (JSC::Uint8ClampedArray::createUninitialized):
997         (JSC::Uint8ClampedArray::zeroFill):
998         (JSC::Uint8ClampedArray::set):
999         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1000         (JSC::Uint8ClampedArray::subarray):
1001         * runtime/VM.h:
1002
1003 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1004
1005         Copied space should be able to handle more than one copied backing store per JSCell
1006         https://bugs.webkit.org/show_bug.cgi?id=119471
1007
1008         Reviewed by Mark Hahnenberg.
1009         
1010         This allows a cell to call copyLater() multiple times for multiple different
1011         backing stores, and then have copyBackingStore() called exactly once for each
1012         of those. A token tells it which backing store to copy. All backing stores
1013         must be named using the CopyToken, an enumeration which currently cannot
1014         exceed eight entries.
1015         
1016         When copyBackingStore() is called, it's up to the callee to (a) use the token
1017         to decide what to copy and (b) call its base class's copyBackingStore() in
1018         case the base class had something that needed copying. The only exception is
1019         that JSCell never asks anything to be copied, and so if your base is JSCell
1020         then you don't have to do anything.
1021
1022         * GNUmakefile.list.am:
1023         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1024         * JavaScriptCore.xcodeproj/project.pbxproj:
1025         * heap/CopiedBlock.h:
1026         * heap/CopiedBlockInlines.h:
1027         (JSC::CopiedBlock::reportLiveBytes):
1028         * heap/CopyToken.h: Added.
1029         * heap/CopyVisitor.cpp:
1030         (JSC::CopyVisitor::copyFromShared):
1031         * heap/CopyVisitor.h:
1032         * heap/CopyVisitorInlines.h:
1033         (JSC::CopyVisitor::visitItem):
1034         * heap/CopyWorkList.h:
1035         (JSC::CopyWorklistItem::CopyWorklistItem):
1036         (JSC::CopyWorklistItem::cell):
1037         (JSC::CopyWorklistItem::token):
1038         (JSC::CopyWorkListSegment::get):
1039         (JSC::CopyWorkListSegment::append):
1040         (JSC::CopyWorkListSegment::data):
1041         (JSC::CopyWorkListIterator::get):
1042         (JSC::CopyWorkListIterator::operator*):
1043         (JSC::CopyWorkListIterator::operator->):
1044         (JSC::CopyWorkList::append):
1045         * heap/SlotVisitor.h:
1046         * heap/SlotVisitorInlines.h:
1047         (JSC::SlotVisitor::copyLater):
1048         * runtime/ClassInfo.h:
1049         * runtime/JSCell.cpp:
1050         (JSC::JSCell::copyBackingStore):
1051         * runtime/JSCell.h:
1052         * runtime/JSObject.cpp:
1053         (JSC::JSObject::visitButterfly):
1054         (JSC::JSObject::copyBackingStore):
1055         * runtime/JSObject.h:
1056
1057 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1058
1059         [Automake] Define ENABLE_JIT through the Autoconf header
1060         https://bugs.webkit.org/show_bug.cgi?id=119445
1061
1062         Reviewed by Martin Robinson.
1063
1064         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1065
1066 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1067
1068         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1069         https://bugs.webkit.org/show_bug.cgi?id=119470
1070
1071         Reviewed by Oliver Hunt.
1072         
1073         Structure can still tell you if the object "could" (in the conservative sense)
1074         have an indexing header; that's used by the compiler.
1075         
1076         Most of the time if you want to know if there's an indexing header, you ask the
1077         JSObject.
1078         
1079         In some cases, the JSObject wants to know if it would have an indexing header if
1080         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1081
1082         * dfg/DFGRepatch.cpp:
1083         (JSC::DFG::tryCachePutByID):
1084         (JSC::DFG::tryBuildPutByIdList):
1085         * dfg/DFGSpeculativeJIT.cpp:
1086         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1087         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1088         * runtime/ButterflyInlines.h:
1089         (JSC::Butterfly::create):
1090         (JSC::Butterfly::growPropertyStorage):
1091         (JSC::Butterfly::growArrayRight):
1092         (JSC::Butterfly::resizeArray):
1093         * runtime/JSObject.cpp:
1094         (JSC::JSObject::copyButterfly):
1095         (JSC::JSObject::visitButterfly):
1096         * runtime/JSObject.h:
1097         (JSC::JSObject::hasIndexingHeader):
1098         (JSC::JSObject::setButterfly):
1099         * runtime/Structure.h:
1100         (JSC::Structure::couldHaveIndexingHeader):
1101         (JSC::Structure::hasIndexingHeader):
1102
1103 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1104
1105         Give the error object's stack property accessor attributes.
1106         https://bugs.webkit.org/show_bug.cgi?id=119404
1107
1108         Reviewed by Geoffrey Garen.
1109         
1110         Changed the attributes of error object's stack property to allow developers to write
1111         and delete the stack property. This will match the functionality of Chrome. Firefox
1112         allows developers to write the error's stack, but not delete it.
1113
1114         * interpreter/Interpreter.cpp:
1115         (JSC::Interpreter::addStackTraceIfNecessary):
1116         * runtime/ErrorInstance.cpp:
1117         (JSC::ErrorInstance::finishCreation):
1118
1119 2013-08-02  Oliver Hunt  <oliver@apple.com>
1120
1121         Incorrect type speculation reported by ToPrimitive
1122         https://bugs.webkit.org/show_bug.cgi?id=119458
1123
1124         Reviewed by Mark Hahnenberg.
1125
1126         Make sure that we report the correct type possibilities for the output
1127         from ToPrimitive
1128
1129         * dfg/DFGAbstractInterpreterInlines.h:
1130         (JSC::DFG::::executeEffects):
1131
1132 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1133
1134         Remove no-arguments constructor to PropertySlot
1135         https://bugs.webkit.org/show_bug.cgi?id=119460
1136
1137         Reviewed by Geoff Garen.
1138
1139         This constructor was unsafe if getValue is subsequently called,
1140         and the property is a getter. Simplest to just remove it.
1141
1142         * runtime/Arguments.cpp:
1143         (JSC::Arguments::defineOwnProperty):
1144         * runtime/JSActivation.cpp:
1145         (JSC::JSActivation::getOwnPropertyDescriptor):
1146         * runtime/JSFunction.cpp:
1147         (JSC::JSFunction::getOwnPropertyDescriptor):
1148         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1149         (JSC::JSFunction::put):
1150         (JSC::JSFunction::defineOwnProperty):
1151         * runtime/JSGlobalObject.cpp:
1152         (JSC::JSGlobalObject::defineOwnProperty):
1153         * runtime/JSGlobalObject.h:
1154         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1155         * runtime/JSNameScope.cpp:
1156         (JSC::JSNameScope::put):
1157         * runtime/JSONObject.cpp:
1158         (JSC::Stringifier::Holder::appendNextProperty):
1159         (JSC::Walker::walk):
1160         * runtime/JSObject.cpp:
1161         (JSC::JSObject::hasProperty):
1162         (JSC::JSObject::hasOwnProperty):
1163         (JSC::JSObject::reifyStaticFunctionsForDelete):
1164         * runtime/Lookup.h:
1165         (JSC::getStaticPropertyDescriptor):
1166         (JSC::getStaticFunctionDescriptor):
1167         (JSC::getStaticValueDescriptor):
1168         * runtime/ObjectConstructor.cpp:
1169         (JSC::defineProperties):
1170         * runtime/PropertySlot.h:
1171
1172 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1173
1174         DFG validation can cause assertion failures due to dumping
1175         https://bugs.webkit.org/show_bug.cgi?id=119456
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         * bytecode/CodeBlock.cpp:
1180         (JSC::CodeBlock::hasHash):
1181         (JSC::CodeBlock::isSafeToComputeHash):
1182         (JSC::CodeBlock::hash):
1183         (JSC::CodeBlock::dumpAssumingJITType):
1184         * bytecode/CodeBlock.h:
1185
1186 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1187
1188         Have vm's exceptionStack match java's vm's exceptionStack.
1189         https://bugs.webkit.org/show_bug.cgi?id=119362
1190
1191         Reviewed by Geoffrey Garen.
1192         
1193         The error object's stack is only updated if it does not exist yet. This matches
1194         the functionality of other browsers, and Java VMs.
1195
1196         * interpreter/Interpreter.cpp:
1197         (JSC::Interpreter::addStackTraceIfNecessary):
1198         (JSC::Interpreter::throwException):
1199         * runtime/VM.cpp:
1200         (JSC::VM::clearExceptionStack):
1201         * runtime/VM.h:
1202         (JSC::VM::lastExceptionStack):
1203
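Two entries above concern the same observable feature: "Give the error object's stack property accessor attributes" makes an Error's stack writable and deletable, and "Have vm's exceptionStack match java's vm's exceptionStack" makes the stack stick to the point of construction rather than being rewritten on each rethrow. The following is an added example (my own code, not JavaScriptCore's) that checks both behaviours from JavaScript. It assumes an engine that captures the stack when the Error is constructed (Node.js/V8, JavaScriptCore, SpiderMonkey); the function names are my own.

```javascript
// Added example, not JavaScriptCore code: JavaScript-visible behaviour of an
// Error's "stack" property as described by the two ChangeLog entries above.

function createError() {
  return new Error('constructed here');
}

// Rethrow the same Error object through several frames. The stack must still
// describe where the error was created, not where it was last rethrown.
function rethrow(err, depth) {
  if (depth === 0) throw err;
  try {
    rethrow(err, depth - 1);
  } catch (e) {
    throw e; // a rethrow must not overwrite e.stack
  }
}

function stackSurvivesRethrow() {
  const err = createError();
  const original = err.stack;
  let caught = null;
  try {
    rethrow(err, 3);
  } catch (e) {
    caught = e;
  }
  return caught === err && typeof original === 'string' && caught.stack === original;
}

// The stack can be overwritten, e.g. to redact internal file paths before an
// error object is serialised and handed to a less trusted party.
function stackIsWritable() {
  const err = createError();
  err.stack = 'redacted';
  return err.stack === 'redacted';
}

// The own "stack" property can be deleted (the Chrome-compatible behaviour the
// first entry adopts; that entry notes Firefox allows the write but not the delete).
function stackIsDeletable() {
  const err = createError();
  const deleted = delete err.stack;
  return deleted && !Object.prototype.hasOwnProperty.call(err, 'stack');
}

// Report the attributes the engine gives the property, walking the prototype
// chain so an engine that defines "stack" as a prototype accessor is handled.
function stackAttributes(err) {
  let holder = err;
  while (holder !== null) {
    const d = Object.getOwnPropertyDescriptor(holder, 'stack');
    if (d) {
      return {
        ownProperty: holder === err,
        accessor: typeof d.get === 'function' || typeof d.set === 'function',
        writable: 'writable' in d ? d.writable : typeof d.set === 'function',
        configurable: d.configurable,
        enumerable: d.enumerable,
      };
    }
    holder = Object.getPrototypeOf(holder);
  }
  return null; // engine exposes no "stack" at all
}
```

stackAttributes() is the quickest way to see which of the two designs an engine picked: a writable, configurable data property on the instance, or an accessor with a setter further up the chain. Either way the three checks above should hold.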
1204 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1205
1206         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1207         https://bugs.webkit.org/show_bug.cgi?id=119447
1208
1209         Reviewed by Geoffrey Garen.
1210
1211         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1212         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1213         r153583 (sh4) and r153648 (ARM).
1214
1215         * jit/JITStubsMIPS.h:
1216
1217 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1218
1219         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1220         https://bugs.webkit.org/show_bug.cgi?id=119422
1221
1222         Reviewed by Oliver Hunt.
1223         
1224         This simplifies some code and also allows Structure to claim that an object
1225         has an indexing header even if it doesn't have indexed properties.
1226         
1227         I also changed some calls to use hasIndexedProperties() since in some cases,
1228         that's what we actually meant. Currently the two are synonyms.
1229
1230         * dfg/DFGRepatch.cpp:
1231         (JSC::DFG::tryCachePutByID):
1232         (JSC::DFG::tryBuildPutByIdList):
1233         * dfg/DFGSpeculativeJIT.cpp:
1234         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1235         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1236         * runtime/ButterflyInlines.h:
1237         (JSC::Butterfly::create):
1238         (JSC::Butterfly::growPropertyStorage):
1239         (JSC::Butterfly::growArrayRight):
1240         (JSC::Butterfly::resizeArray):
1241         * runtime/IndexingType.h:
1242         * runtime/JSObject.cpp:
1243         (JSC::JSObject::copyButterfly):
1244         (JSC::JSObject::visitButterfly):
1245         (JSC::JSObject::setPrototype):
1246         * runtime/JSObject.h:
1247         (JSC::JSObject::setButterfly):
1248         * runtime/JSPropertyNameIterator.cpp:
1249         (JSC::JSPropertyNameIterator::create):
1250         * runtime/Structure.h:
1251         (JSC::Structure::hasIndexingHeader):
1252
1253 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1254
1255         REGRESSION: ARM still crashes after change set r153612.
1256         https://bugs.webkit.org/show_bug.cgi?id=119433
1257
1258         Reviewed by Michael Saboff.
1259
1260         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1261         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1262         for sh4 architecture.
1263
1264         * jit/JITStubsARM.h:
1265         * jit/JITStubsARMv7.h:
1266
1267 2013-08-02  Michael Saboff  <msaboff@apple.com>
1268
1269         REGRESSION(r153612): It made jsc and layout tests crash
1270         https://bugs.webkit.org/show_bug.cgi?id=119440
1271
1272         Reviewed by Csaba Osztrogonác.
1273
1274         Made the changes of changeset r153612 only apply to 32 bit builds.
1275
1276         * jit/JITExceptions.cpp:
1277         * jit/JITExceptions.h:
1278         * jit/JITStubs.cpp:
1279         (JSC::cti_vm_throw_slowpath):
1280         * jit/JITStubs.h:
1281
1282 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1283
1284         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1285
1286         * CMakeLists.txt:
1287
1288 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1289
1290         [Forms: color] <input type='color'> popover color well implementation
1291         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1292
1293         Reviewed by Benjamin Poulain.
1294
1295         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1296
1297 2013-08-01  Oliver Hunt  <oliver@apple.com>
1298
1299         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1300         https://bugs.webkit.org/show_bug.cgi?id=119408
1301
1302         Reviewed by Filip Pizlo.
1303
1304         Construct ToString and Phantom nodes in advance of MakeRope
1305         nodes to ensure that ordering is ensured, and correct values
1306         will be reified on OSR exit.
1307
1308         * dfg/DFGByteCodeParser.cpp:
1309         (JSC::DFG::ByteCodeParser::parseBlock):
1310
1311 2013-08-01  Michael Saboff  <msaboff@apple.com>
1312
1313         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1314         https://bugs.webkit.org/show_bug.cgi?id=119140
1315
1316         Reviewed by Filip Pizlo.
1317
1318         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1319
1320         * jit/JITExceptions.cpp:
1321         (JSC::encode):
1322         * jit/JITExceptions.h:
1323         * jit/JITStubs.cpp:
1324         (JSC::cti_vm_throw_slowpath):
1325         * jit/JITStubs.h:
1326
1327 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1328
1329         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1330         https://bugs.webkit.org/show_bug.cgi?id=119391
1331
1332         Reviewed by Csaba Osztrogonác.
1333
1334         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1335             - Call frame is in r14 register.
1336             - Do not restore registers from JIT stack frame here.
1337
1338 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1339
1340         More cleanup in PropertySlot
1341         https://bugs.webkit.org/show_bug.cgi?id=119359
1342
1343         Reviewed by Geoff Garen.
1344
1345         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1346         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
1347
1348         * dfg/DFGRepatch.cpp:
1349         (JSC::DFG::tryCacheGetByID):
1350         (JSC::DFG::tryBuildGetByIDList):
1351             - No need to ASSERT slotBase is an object.
1352         * jit/JITStubs.cpp:
1353         (JSC::tryCacheGetByID):
1354         (JSC::DEFINE_STUB_FUNCTION):
1355             - No need to ASSERT slotBase is an object.
1356         * runtime/JSObject.cpp:
1357         (JSC::JSObject::getOwnPropertySlotByIndex):
1358         (JSC::JSObject::fillGetterPropertySlot):
1359             - Pass an object through to setGetterSlot.
1360         * runtime/JSObject.h:
1361         (JSC::PropertySlot::getValue):
1362             - Moved from PropertySlot (need to know about JSObject).
1363         * runtime/PropertySlot.cpp:
1364         (JSC::PropertySlot::functionGetter):
1365             - update per member name changes
1366         * runtime/PropertySlot.h:
1367         (JSC::PropertySlot::PropertySlot):
1368             - Argument to constructor set to 'thisValue'.
1369         (JSC::PropertySlot::slotBase):
1370             - This returns a JSObject*.
1371         (JSC::PropertySlot::setValue):
1372         (JSC::PropertySlot::setCustom):
1373         (JSC::PropertySlot::setCacheableCustom):
1374         (JSC::PropertySlot::setCustomIndex):
1375         (JSC::PropertySlot::setGetterSlot):
1376         (JSC::PropertySlot::setCacheableGetterSlot):
1377             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1378         * runtime/SparseArrayValueMap.cpp:
1379         (JSC::SparseArrayEntry::get):
1380             - Pass an object through to setGetterSlot.
1381         * runtime/SparseArrayValueMap.h:
1382             - Pass an object through to setGetterSlot.
1383
1384 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1385
1386         Reduce JSC API static value setter/getter overhead.
1387         https://bugs.webkit.org/show_bug.cgi?id=119277
1388
1389         Reviewed by Geoffrey Garen.
1390
1391         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1392         need to be called every time the static value is set or retrieved.
1393
1394         * API/JSCallbackObjectFunctions.h:
1395         (JSC::::put):
1396         (JSC::::putByIndex):
1397         (JSC::::getStaticValue):
1398         * API/JSClassRef.cpp:
1399         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1400         * API/JSClassRef.h:
1401         (StaticValueEntry::StaticValueEntry):
1402
1403 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1404
1405         Use emptyString instead of String("")
1406         https://bugs.webkit.org/show_bug.cgi?id=119335
1407
1408         Reviewed by Darin Adler.
1409
1410         Use emptyString() instead of String("") because it is better style and
1411         faster. This is a followup to r116908, removing all occurrences of
1412         String("") from WebKit.
1413
1414         * runtime/RegExpConstructor.cpp:
1415         (JSC::constructRegExp):
1416         * runtime/RegExpPrototype.cpp:
1417         (JSC::regExpProtoFuncCompile):
1418         * runtime/StringPrototype.cpp:
1419         (JSC::stringProtoFuncMatch):
1420         (JSC::stringProtoFuncSearch):
1421
1422 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1423
1424         <input type=color> Mac UI behaviour
1425         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1426
1427         Reviewed by Brady Eidson.
1428
1429         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1430
1431 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1432
1433         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1434         https://bugs.webkit.org/show_bug.cgi?id=119349
1435
1436         Reviewed by Geoffrey Garen.
1437
1438         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for
1439         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1440         on code it compiled with any switch statements to have been run in the baseline JIT first.
1441         However, if the DFG chooses to inline a function that has never been compiled by the baseline
1442         JIT then this resizing never happens and we crash at link time in the DFG.
1443
1444         We can fix this by also doing the resize in the DFG to catch this case.
1445
1446         * dfg/DFGJITCompiler.cpp:
1447         (JSC::DFG::JITCompiler::link):
1448
1449 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1450
1451         Speculative Windows build fix.
1452
1453         Reviewed by NOBODY
1454
1455         * runtime/JSString.cpp:
1456         (JSC::JSRopeString::getIndexSlowCase):
1457         * runtime/JSString.h:
1458
1459 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1460
1461         Some cleanup in JSValue::get
1462         https://bugs.webkit.org/show_bug.cgi?id=119343
1463
1464         Reviewed by Geoff Garen.
1465
1466         JSValue::get is implemented to:
1467             1) Check if the value is a cell – if not, synthesize a prototype to search,
1468             2) call getOwnPropertySlot on the cell,
1469             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1470         By all rights this should crash when passed a string and accessing a property that does not exist, because
1471         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1472         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1473         prototype chain, and faking out a return value of undefined if no property is found.
1474
1475         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
1476         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
1477
1478         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
1479         slots anyway.
1480
1481         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
1482
1483 2013-07-31  Michael Saboff  <msaboff@apple.com>
1484
1485         [Win] JavaScript crash.
1486         https://bugs.webkit.org/show_bug.cgi?id=119339
1487
1488         Reviewed by Mark Hahnenberg.
1489
1490         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1491         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1492
1493 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1494
1495         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1496         https://bugs.webkit.org/show_bug.cgi?id=119281
1497
1498         Reviewed by Geoffrey Garen.
1499
1500         This leads to out of bounds accesses and subsequent crashes.
1501
1502         * dfg/DFGSpeculativeJIT.cpp:
1503         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1504         * dfg/DFGSpeculativeJIT64.cpp:
1505         (JSC::DFG::SpeculativeJIT::compile):
1506
1507 2013-07-30  Oliver Hunt  <oliver@apple.com>
1508
1509         Add an assertion to SpeculateCellOperand
1510         https://bugs.webkit.org/show_bug.cgi?id=119276
1511
1512         Reviewed by Michael Saboff.
1513
1514         More assertions are better
1515
1516         * dfg/DFGSpeculativeJIT64.cpp:
1517         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1518         (JSC::DFG::SpeculativeJIT::compile):
1519
1520 2013-07-30  Mark Lam  <mark.lam@apple.com>
1521
1522         Fix problems with divot and lineStart mismatches.
1523         https://bugs.webkit.org/show_bug.cgi?id=118662
1524
1525         Reviewed by Oliver Hunt.
1526
1527         r152494 added the recording of lineStart values for divot positions.
1528         This is needed for the computation of column numbers. Similarly, it also
1529         added the recording of line numbers for the divot positions. One problem
1530         with the approach taken was that the line and lineStart values were
1531         recorded independently, and hence were not always guaranteed to be
1532         sampled at the same place that the divot position is recorded. This
1533         resulted in potential mismatches that cause some assertions to fail.
1534
1535         The solution is to introduce a JSTextPosition abstraction that records
1536         the divot position, line, and lineStart as a single quantity. Wherever
1537         we record the divot position as an unsigned int previously, we now record
1538         its JSTextPosition which captures all 3 values in one go. This ensures
1539         that the captured line and lineStart will always match the captured divot
1540         position.
1541
1542         * bytecompiler/BytecodeGenerator.cpp:
1543         (JSC::BytecodeGenerator::emitCall):
1544         (JSC::BytecodeGenerator::emitCallEval):
1545         (JSC::BytecodeGenerator::emitCallVarargs):
1546         (JSC::BytecodeGenerator::emitConstruct):
1547         (JSC::BytecodeGenerator::emitDebugHook):
1548         - Use JSTextPosition instead of passing line and lineStart explicitly.
1549         * bytecompiler/BytecodeGenerator.h:
1550         (JSC::BytecodeGenerator::emitExpressionInfo):
1551         - Use JSTextPosition instead of passing line and lineStart explicitly.
1552         * bytecompiler/NodesCodegen.cpp:
1553         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1554         (JSC::ResolveNode::emitBytecode):
1555         (JSC::BracketAccessorNode::emitBytecode):
1556         (JSC::DotAccessorNode::emitBytecode):
1557         (JSC::NewExprNode::emitBytecode):
1558         (JSC::EvalFunctionCallNode::emitBytecode):
1559         (JSC::FunctionCallValueNode::emitBytecode):
1560         (JSC::FunctionCallResolveNode::emitBytecode):
1561         (JSC::FunctionCallBracketNode::emitBytecode):
1562         (JSC::FunctionCallDotNode::emitBytecode):
1563         (JSC::CallFunctionCallDotNode::emitBytecode):
1564         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1565         (JSC::PostfixNode::emitResolve):
1566         (JSC::PostfixNode::emitBracket):
1567         (JSC::PostfixNode::emitDot):
1568         (JSC::DeleteResolveNode::emitBytecode):
1569         (JSC::DeleteBracketNode::emitBytecode):
1570         (JSC::DeleteDotNode::emitBytecode):
1571         (JSC::PrefixNode::emitResolve):
1572         (JSC::PrefixNode::emitBracket):
1573         (JSC::PrefixNode::emitDot):
1574         (JSC::UnaryOpNode::emitBytecode):
1575         (JSC::BinaryOpNode::emitStrcat):
1576         (JSC::BinaryOpNode::emitBytecode):
1577         (JSC::ThrowableBinaryOpNode::emitBytecode):
1578         (JSC::InstanceOfNode::emitBytecode):
1579         (JSC::emitReadModifyAssignment):
1580         (JSC::ReadModifyResolveNode::emitBytecode):
1581         (JSC::AssignResolveNode::emitBytecode):
1582         (JSC::AssignDotNode::emitBytecode):
1583         (JSC::ReadModifyDotNode::emitBytecode):
1584         (JSC::AssignBracketNode::emitBytecode):
1585         (JSC::ReadModifyBracketNode::emitBytecode):
1586         (JSC::ForInNode::emitBytecode):
1587         (JSC::WithNode::emitBytecode):
1588         (JSC::ThrowNode::emitBytecode):
1589         - Use JSTextPosition instead of passing line and lineStart explicitly.
1590         * parser/ASTBuilder.h:
1591         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1592         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1593         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1594         (JSC::ASTBuilder::createResolve):
1595         (JSC::ASTBuilder::createBracketAccess):
1596         (JSC::ASTBuilder::createDotAccess):
1597         (JSC::ASTBuilder::createRegExp):
1598         (JSC::ASTBuilder::createNewExpr):
1599         (JSC::ASTBuilder::createAssignResolve):
1600         (JSC::ASTBuilder::createExprStatement):
1601         (JSC::ASTBuilder::createForInLoop):
1602         (JSC::ASTBuilder::createReturnStatement):
1603         (JSC::ASTBuilder::createBreakStatement):
1604         (JSC::ASTBuilder::createContinueStatement):
1605         (JSC::ASTBuilder::createLabelStatement):
1606         (JSC::ASTBuilder::createWithStatement):
1607         (JSC::ASTBuilder::createThrowStatement):
1608         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1609         (JSC::ASTBuilder::appendUnaryToken):
1610         (JSC::ASTBuilder::unaryTokenStackLastStart):
1611         (JSC::ASTBuilder::assignmentStackAppend):
1612         (JSC::ASTBuilder::createAssignment):
1613         (JSC::ASTBuilder::setExceptionLocation):
1614         (JSC::ASTBuilder::makeDeleteNode):
1615         (JSC::ASTBuilder::makeFunctionCallNode):
1616         (JSC::ASTBuilder::makeBinaryNode):
1617         (JSC::ASTBuilder::makeAssignNode):
1618         (JSC::ASTBuilder::makePrefixNode):
1619         (JSC::ASTBuilder::makePostfixNode):
1620         - Use JSTextPosition instead of passing line and lineStart explicitly.
1621         * parser/Lexer.cpp:
1622         (JSC::::lex):
1623         - Added support for capturing the appropriate JSTextPositions instead
1624           of just the character offset.
1625         * parser/Lexer.h:
1626         (JSC::Lexer::currentPosition):
1627         (JSC::::lexExpectIdentifier):
1628         - Added support for capturing the appropriate JSTextPositions instead
1629           of just the character offset.
1630         * parser/NodeConstructors.h:
1631         (JSC::Node::Node):
1632         (JSC::ResolveNode::ResolveNode):
1633         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1634         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1635         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1636         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1637         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1638         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1639         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1640         (JSC::PostfixNode::PostfixNode):
1641         (JSC::DeleteResolveNode::DeleteResolveNode):
1642         (JSC::DeleteBracketNode::DeleteBracketNode):
1643         (JSC::DeleteDotNode::DeleteDotNode):
1644         (JSC::PrefixNode::PrefixNode):
1645         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1646         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1647         (JSC::AssignBracketNode::AssignBracketNode):
1648         (JSC::AssignDotNode::AssignDotNode):
1649         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1650         (JSC::AssignErrorNode::AssignErrorNode):
1651         (JSC::WithNode::WithNode):
1652         (JSC::ForInNode::ForInNode):
1653         - Use JSTextPosition instead of passing line and lineStart explicitly.
1654         * parser/Nodes.cpp:
1655         (JSC::StatementNode::setLoc):
1656         - Use JSTextPosition instead of passing line and lineStart explicitly.
1657         * parser/Nodes.h:
1658         (JSC::Node::lineNo):
1659         (JSC::Node::startOffset):
1660         (JSC::Node::lineStartOffset):
1661         (JSC::Node::position):
1662         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1663         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1664         (JSC::ThrowableExpressionData::divot):
1665         (JSC::ThrowableExpressionData::divotStart):
1666         (JSC::ThrowableExpressionData::divotEnd):
1667         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1668         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1669         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1670         (JSC::ThrowableSubExpressionData::subexpressionStart):
1671         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1672         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1673         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1674         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1675         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1676         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1677         - Use JSTextPosition instead of passing line and lineStart explicitly.
1678         * parser/Parser.cpp:
1679         (JSC::::Parser):
1680         (JSC::::parseInner):
1681         - Use JSTextPosition instead of passing line and lineStart explicitly.
1682         (JSC::::didFinishParsing):
1683         - Remove setting of m_lastLine value. We always pass in the value from
1684           m_lastLine anyway. So, this assignment is effectively a nop.
1685         (JSC::::parseVarDeclaration):
1686         (JSC::::parseVarDeclarationList):
1687         (JSC::::parseForStatement):
1688         (JSC::::parseBreakStatement):
1689         (JSC::::parseContinueStatement):
1690         (JSC::::parseReturnStatement):
1691         (JSC::::parseThrowStatement):
1692         (JSC::::parseWithStatement):
1693         (JSC::::parseTryStatement):
1694         (JSC::::parseBlockStatement):
1695         (JSC::::parseFunctionDeclaration):
1696         (JSC::LabelInfo::LabelInfo):
1697         (JSC::::parseExpressionOrLabelStatement):
1698         (JSC::::parseExpressionStatement):
1699         (JSC::::parseAssignmentExpression):
1700         (JSC::::parseBinaryExpression):
1701         (JSC::::parseProperty):
1702         (JSC::::parsePrimaryExpression):
1703         (JSC::::parseMemberExpression):
1704         (JSC::::parseUnaryExpression):
1705         - Use JSTextPosition instead of passing line and lineStart explicitly.
1706         * parser/Parser.h:
1707         (JSC::Parser::next):
1708         (JSC::Parser::nextExpectIdentifier):
1709         (JSC::Parser::getToken):
1710         (JSC::Parser::tokenStartPosition):
1711         (JSC::Parser::tokenEndPosition):
1712         (JSC::Parser::lastTokenEndPosition):
1713         (JSC::::parse):
1714         - Use JSTextPosition instead of passing line and lineStart explicitly.
1715         * parser/ParserTokens.h:
1716         (JSC::JSTextPosition::JSTextPosition):
1717         (JSC::JSTextPosition::operator+):
1718         (JSC::JSTextPosition::operator-):
1719         (JSC::JSTextPosition::operator int):
1720         - Added JSTextPosition.
1721         * parser/SyntaxChecker.h:
1722         (JSC::SyntaxChecker::makeFunctionCallNode):
1723         (JSC::SyntaxChecker::makeAssignNode):
1724         (JSC::SyntaxChecker::makePrefixNode):
1725         (JSC::SyntaxChecker::makePostfixNode):
1726         (JSC::SyntaxChecker::makeDeleteNode):
1727         (JSC::SyntaxChecker::createResolve):
1728         (JSC::SyntaxChecker::createBracketAccess):
1729         (JSC::SyntaxChecker::createDotAccess):
1730         (JSC::SyntaxChecker::createRegExp):
1731         (JSC::SyntaxChecker::createNewExpr):
1732         (JSC::SyntaxChecker::createAssignResolve):
1733         (JSC::SyntaxChecker::createForInLoop):
1734         (JSC::SyntaxChecker::createReturnStatement):
1735         (JSC::SyntaxChecker::createBreakStatement):
1736         (JSC::SyntaxChecker::createContinueStatement):
1737         (JSC::SyntaxChecker::createWithStatement):
1738         (JSC::SyntaxChecker::createLabelStatement):
1739         (JSC::SyntaxChecker::createThrowStatement):
1740         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1741         (JSC::SyntaxChecker::operatorStackPop):
1742         - Use JSTextPosition instead of passing line and lineStart explicitly.
1743
1744 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1745
1746         Unreviewed. Fix make distcheck.
1747
1748         * GNUmakefile.list.am: Add missing files to compilation.
1749         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
1750         include FTL header files not included in the compilation.
1751         * dfg/DFGDriver.cpp: Ditto.
1752         * dfg/DFGPlan.cpp: Ditto.
1753
1754 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1755
1756         Eager stack trace for error objects.
1757         https://bugs.webkit.org/show_bug.cgi?id=118918
1758
1759         Reviewed by Geoffrey Garen.
1760         
1761         Chrome and Firefox give error objects the stack property and we wanted to match
1762         that functionality. This allows developers to see the stack without throwing an object.
1763
1764         * runtime/ErrorInstance.cpp:
1765         (JSC::ErrorInstance::finishCreation):
1766         For error objects that are not thrown as an exception, we pass the stackTrace in
1767         as a parameter. This allows the error object to have the stack property.
1768         
1769         * interpreter/Interpreter.cpp:
1770         (JSC::stackTraceAsString):
1771         Helper function used to eliminate duplicate code.
1772
1773         (JSC::Interpreter::addStackTraceIfNecessary):
1774         When an error object is created by the user, the vm->exceptionStack is not set.
1775         If the user throws this error object later the stack that is in the error object 
1776         may not be the correct stack for the throw, so when we set the vm->exception stack,
1777         the stack property on the error object is set as well.
1778         
1779         * runtime/ErrorConstructor.cpp:
1780         (JSC::constructWithErrorConstructor):
1781         (JSC::callErrorConstructor):
1782         * runtime/NativeErrorConstructor.cpp:
1783         (JSC::constructWithNativeErrorConstructor):
1784         (JSC::callNativeErrorConstructor):
1785         These functions indicate that the user created an error object. For all error objects 
1786         that the user explicitly creates, the topCallFrame is at a new frame created to 
1787         handle the user's call. In this case though, the error object needs the caller's 
1788         frame to create the stack trace correctly.
1789         
1790         * interpreter/Interpreter.h:
1791         * runtime/ErrorInstance.h:
1792         (JSC::ErrorInstance::create):
1793
1794 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1795
1796         Some cleanup in PropertySlot
1797         https://bugs.webkit.org/show_bug.cgi?id=119189
1798
1799         Reviewed by Geoff Garen.
1800
1801         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1802         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1803         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1804         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1805         (this is invalidOffset if not cacheable).
1806
1807             * Internally, always track the type of the property using an enum value, PropertyType.
1808             * Use m_offset to indicate cacheable.
1809             * Keep the external interface (CachedPropertyType) unchanged.
1810             * Better pack data into the m_data union.
1811
1812         Performance neutral.
1813
1814         * dfg/DFGRepatch.cpp:
1815         (JSC::DFG::tryCacheGetByID):
1816         (JSC::DFG::tryBuildGetByIDList):
1817             - cachedPropertyType() -> isCacheable*()
1818         * jit/JITPropertyAccess.cpp:
1819         (JSC::JIT::privateCompileGetByIdProto):
1820         (JSC::JIT::privateCompileGetByIdSelfList):
1821         (JSC::JIT::privateCompileGetByIdProtoList):
1822         (JSC::JIT::privateCompileGetByIdChainList):
1823         (JSC::JIT::privateCompileGetByIdChain):
1824             - cachedPropertyType() -> isCacheable*()
1825         * jit/JITPropertyAccess32_64.cpp:
1826         (JSC::JIT::privateCompileGetByIdProto):
1827         (JSC::JIT::privateCompileGetByIdSelfList):
1828         (JSC::JIT::privateCompileGetByIdProtoList):
1829         (JSC::JIT::privateCompileGetByIdChainList):
1830         (JSC::JIT::privateCompileGetByIdChain):
1831             - cachedPropertyType() -> isCacheable*()
1832         * jit/JITStubs.cpp:
1833         (JSC::tryCacheGetByID):
1834             - cachedPropertyType() -> isCacheable*()
1835         * llint/LLIntSlowPaths.cpp:
1836         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1837             - cachedPropertyType() -> isCacheable*()
1838         * runtime/PropertySlot.cpp:
1839         (JSC::PropertySlot::functionGetter):
1840             - refactoring described above.
1841         * runtime/PropertySlot.h:
1842         (JSC::PropertySlot::PropertySlot):
1843         (JSC::PropertySlot::getValue):
1844         (JSC::PropertySlot::isCacheable):
1845         (JSC::PropertySlot::isCacheableValue):
1846         (JSC::PropertySlot::isCacheableGetter):
1847         (JSC::PropertySlot::isCacheableCustom):
1848         (JSC::PropertySlot::cachedOffset):
1849         (JSC::PropertySlot::customGetter):
1850         (JSC::PropertySlot::setValue):
1851         (JSC::PropertySlot::setCustom):
1852         (JSC::PropertySlot::setCacheableCustom):
1853         (JSC::PropertySlot::setCustomIndex):
1854         (JSC::PropertySlot::setGetterSlot):
1855         (JSC::PropertySlot::setCacheableGetterSlot):
1856         (JSC::PropertySlot::setUndefined):
1857         (JSC::PropertySlot::slotBase):
1858         (JSC::PropertySlot::setBase):
1859             - refactoring described above.
1860
1861 2013-07-28  Oliver Hunt  <oliver@apple.com>
1862
1863         REGRESSION: Crash when opening Facebook.com
1864         https://bugs.webkit.org/show_bug.cgi?id=119155
1865
1866         Reviewed by Andreas Kling.
1867
1868         Scope nodes are always objects, so we should be using SpecObjectOther
1869         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1870         contradiction in the CFA, resulting in bogus codegen.
1871
1872         * dfg/DFGAbstractInterpreterInlines.h:
1873         (JSC::DFG::::executeEffects):
1874         * dfg/DFGPredictionPropagationPhase.cpp:
1875         (JSC::DFG::PredictionPropagationPhase::propagate):
1876
1877 2013-07-26  Oliver Hunt  <oliver@apple.com>
1878
1879         REGRESSION(FTL?): Crashes in plugin tests
1880         https://bugs.webkit.org/show_bug.cgi?id=119141
1881
1882         Reviewed by Michael Saboff.
1883
1884         Re-export getStackTrace
1885
1886         * interpreter/Interpreter.h:
1887
1888 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1889
1890         REGRESSION: Crash when opening a message on Gmail
1891         https://bugs.webkit.org/show_bug.cgi?id=119105
1892
1893         Reviewed by Oliver Hunt and Mark Hahnenberg.
1894         
1895         - GetById patching in the DFG needs to be more disciplined about how it derives the
1896           slow path.
1897         
1898         - Fix some dumping code thread safety issues.
1899
1900         * bytecode/CallLinkStatus.cpp:
1901         (JSC::CallLinkStatus::dump):
1902         * bytecode/CodeBlock.cpp:
1903         (JSC::CodeBlock::dumpBytecode):
1904         * dfg/DFGRepatch.cpp:
1905         (JSC::DFG::getPolymorphicStructureList):
1906         (JSC::DFG::tryBuildGetByIDList):
1907
1908 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
1909
1910         [mips] Fix LLINT build for mips backend
1911         https://bugs.webkit.org/show_bug.cgi?id=119152
1912
1913         Reviewed by Oliver Hunt.
1914
1915         * offlineasm/mips.rb:
1916
1917 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1918
1919         Setting a large numeric property on an object causes it to allocate a huge backing store
1920         https://bugs.webkit.org/show_bug.cgi?id=118914
1921
1922         Reviewed by Geoffrey Garen.
1923
1924         There are two distinct actions that we're trying to optimize for:
1925
1926         new Array(100000);
1927
1928         and:
1929
1930         a = [];
1931         a[100000] = 42;
1932         
1933         In the first case, the programmer has indicated that they expect this Array to be very big, 
1934         so they should get a contiguous array up until some threshold, above which we perform density 
1935         calculations to see if it is indeed dense enough to warrant being contiguous.
1936         
1937         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
1938         we should be more conservative and assume it should be sparse until we've proven otherwise.
1939         
1940         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
1941         between them for the purposes of not over-allocating large backing stores like we see on 
1942         http://www.peekanalytics.com/burgerjoints/
1943         
1944         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
1945         introduce a new heuristic for the second case. If we are putting to an index above a certain 
1946         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
1947         map instead. So for example, in the second case above the empty array has a blank indexing 
1948         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1949
1950         This fix is a ~800x speedup on the accompanying regression test :-o
1951
1952         * runtime/ArrayConventions.h:
1953         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1954         * runtime/JSObject.cpp:
1955         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1956         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1957         (JSC::JSObject::putByIndexBeyondVectorLength):
1958         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1959
1960 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1961
1962         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
1963         https://bugs.webkit.org/show_bug.cgi?id=119148
1964
1965         Reviewed by Csaba Osztrogonác.
1966
1967         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
1968         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
1969         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
1970         code duplication.
1971
1972 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1973
1974         REGRESSION(FTL): Crash in sh4 baseline JIT.
1975         https://bugs.webkit.org/show_bug.cgi?id=119138
1976
1977         Reviewed by Csaba Osztrogonác.
1978
1979         This crash is due to an incomplete report of r150146 and r148474.
1980
1981         * jit/JITStubsSH4.h:
1982
1983 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
1984
1985         Unreviewed.
1986
1987         * Target.pri: Adding missing DFG files to the Qt build.
1988
1989 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
1990
1991         GTK and Qt buildfix after the intrusive win buildfix r153360.
1992
1993         * GNUmakefile.list.am:
1994         * Target.pri:
1995
1996 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1997
1998         Unreviewed, fix build break after r153360.
1999
2000         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2001
2002 2013-07-25  Roger Fong  <roger_fong@apple.com>
2003
2004         Unreviewed build fix, AppleWin port.
2005
2006         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2007         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2008         * JavaScriptCore.vcxproj/copy-files.cmd:
2009
2010 2013-07-25  Roger Fong  <roger_fong@apple.com>
2011
2012         Unreviewed. Followup to r153360.
2013
2014         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2015         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2016
2017 2013-07-25  Michael Saboff  <msaboff@apple.com>
2018
2019         [Windows] Speculative build fix.
2020
2021         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2022         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2023
2024         * JavaScriptCore.xcodeproj/project.pbxproj:
2025         * llint/LLIntExceptions.cpp:
2026         * llint/LLIntExceptions.h:
2027         * llint/LLIntSlowPaths.cpp:
2028         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2029         * runtime/CommonSlowPaths.cpp:
2030         (JSC::SLOW_PATH_DECL):
2031         * runtime/CommonSlowPathsExceptions.cpp: Added.
2032         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2033         * runtime/CommonSlowPathsExceptions.h: Added.
2034
2035 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2036
2037         [Windows] Unreviewed build fix.
2038
2039         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2040         parser/SourceCode.h,.cpp.
2041         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2042
2043 2013-07-25  Anders Carlsson  <andersca@apple.com>
2044
2045         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2046         https://bugs.webkit.org/show_bug.cgi?id=119108
2047
2048         Reviewed by Mark Hahnenberg.
2049
2050         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2051
2052         * heap/CopiedSpace.cpp:
2053         (JSC::CopiedSpace::tryAllocateSlowCase):
2054         * heap/Heap.cpp:
2055         (JSC::Heap::protect):
2056         (JSC::Heap::unprotect):
2057         (JSC::Heap::collect):
2058         * heap/MarkedAllocator.cpp:
2059         (JSC::MarkedAllocator::allocateSlowCase):
2060         * runtime/JSGlobalObject.cpp:
2061         (JSC::JSGlobalObject::init):
2062         * runtime/VM.h:
2063         (JSC::VM::currentThreadIsHoldingAPILock):
2064
2065 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2066
2067         REGRESSION(FTL): Most layout tests crashes
2068         https://bugs.webkit.org/show_bug.cgi?id=119089
2069
2070         Reviewed by Oliver Hunt.
2071
2072         * runtime/ExecutionHarness.h:
2073         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2074         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2075         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2076         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2077         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2078         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2079
2080 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2081
2082         [Windows] Unreviewed build fix.
2083
2084         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2085         include path.
2086
2087 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2088
2089         [Windows] Unreviewed build fix.
2090
2091         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2092         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2093         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2094
2095 2013-07-25  Oliver Hunt  <oliver@apple.com>
2096
2097         Make all jit & non-jit combos build cleanly
2098         https://bugs.webkit.org/show_bug.cgi?id=119102
2099
2100         Reviewed by Anders Carlsson.
2101
2102         * bytecode/CodeBlock.cpp:
2103         (JSC::CodeBlock::counterValueForOptimizeSoon):
2104         * bytecode/CodeBlock.h:
2105         (JSC::CodeBlock::optimizeAfterWarmUp):
2106         (JSC::CodeBlock::numberOfDFGCompiles):
2107
2108 2013-07-25  Oliver Hunt  <oliver@apple.com>
2109
2110         32 bit portion of load validation logic
2111         https://bugs.webkit.org/show_bug.cgi?id=118878
2112
2113         Reviewed by NOBODY (Build fix).
2114
2115         * dfg/DFGSpeculativeJIT32_64.cpp:
2116         (JSC::DFG::SpeculativeJIT::compile):
2117
2118 2013-07-25  Oliver Hunt  <oliver@apple.com>
2119
2120         More 32bit build fixes
2121
2122         - Apparently some compilers don't track the fastcall directive everywhere we expect
2123
2124         * API/APICallbackFunction.h:
2125         (JSC::APICallbackFunction::call):
2126         * bytecode/CodeBlock.cpp:
2127         * runtime/Structure.cpp:
2128
2129 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2130
2131         Optimize the thread locks for API Shims
2132         https://bugs.webkit.org/show_bug.cgi?id=118573
2133
2134         Reviewed by Geoffrey Garen.
2135
2136         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2137         only used by WebCore's main thread).
2138
2139         * API/APIShims.h:
2140         (JSC::APIEntryShim::APIEntryShim):
2141         (JSC::APICallbackShim::APICallbackShim):
2142         * runtime/JSLock.cpp:
2143         (JSC::JSLockHolder::JSLockHolder):
2144         (JSC::JSLockHolder::init):
2145         (JSC::JSLockHolder::~JSLockHolder):
2146         (JSC::JSLock::DropAllLocks::DropAllLocks):
2147         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2148         * runtime/VM.cpp:
2149         (JSC::VM::VM):
2150         * runtime/VM.h:
2151
2152 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2153
2154         Unreviewed build fix after r153218.
2155
2156         Broke the EFL port build with gcc 4.7.
2157
2158         * interpreter/StackIterator.cpp:
2159         (JSC::printif):
2160
2161 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2162
2163         Build fix: add missing #include.
2164         https://bugs.webkit.org/show_bug.cgi?id=119087
2165
2166         Reviewed by Allan Sandfeld Jensen.
2167
2168         * bytecode/ArrayProfile.cpp:
2169
2170 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2171
2172         Unreviewed, build fix on the EFL port.
2173
2174         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2175
2176 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2177
2178         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2179         https://bugs.webkit.org/show_bug.cgi?id=119083
2180
2181         Reviewed by Allan Sandfeld Jensen.
2182
2183         * assembler/MacroAssemblerSH4.h:
2184         (JSC::MacroAssemblerSH4::store8):
2185
2186 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2187
2188         [Qt] Fix test build after FTL upstream
2189
2190         Unreviewed build fix.
2191
2192         * Target.pri:
2193
2194 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2195
2196         [Qt] Build fix after FTL.
2197
2198         Unreviewed build fix.
2199
2200         * Target.pri:
2201         * interpreter/StackIterator.cpp:
2202         (JSC::StackIterator::Frame::print):
2203
2204 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2205
2206         Unreviewed build fix after FTL upstream.
2207
2208         * dfg/DFGWorklist.cpp:
2209         (JSC::DFG::Worklist::~Worklist):
2210
2211 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2212
2213         Unreviewed, build fix on the EFL port.
2214
2215         * CMakeLists.txt:
2216         Added SourceCode.cpp and removed BlackBerry file.
2217         * jit/JITCode.h:
2218         (JSC::JITCode::nextTierJIT):
2219         Fixed build break caused by -Werror=return-type
2220         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2221         * runtime/JSScope.h:
2222         (JSC::makeType):
2223         Fixed build break caused by -Werror=return-type
2224
2225 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2226
2227         Unreviewed build fixing after FTL upstream.
2228
2229         * runtime/Executable.cpp:
2230         (JSC::FunctionExecutable::produceCodeBlockFor):
2231
2232 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2233
2234         Add missing implementation of bxxxnz in sh4 LLINT.
2235         https://bugs.webkit.org/show_bug.cgi?id=119079
2236
2237         Reviewed by Allan Sandfeld Jensen.
2238
2239         * offlineasm/sh4.rb:
2240
2241 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2242
2243         Unreviewed, build fix on the Qt port.
2244
2245         * Target.pri: Add additional build files for the FTL.
2246
2247 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2248
2249         Unreviewed buildfix after FTL upstream.
2250
2251         * interpreter/StackIterator.cpp:
2252         (JSC::StackIterator::Frame::codeType):
2253         (JSC::StackIterator::Frame::functionName):
2254         (JSC::StackIterator::Frame::sourceURL):
2255         (JSC::StackIterator::Frame::logicalFrame):
2256
2257 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2258
2259         Unreviewed.
2260
2261         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2262         method is not left undefined, causing build failures on (at least) the GTK port.
2263
2264 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2265
2266         Unreviewed, further build fixing on the GTK port.
2267
2268         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2269
2270 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2271
2272         Unreviewed GTK build fixing.
2273
2274         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2275         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2276
2277 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2278
2279         Buildfix after this error:
2280         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2281
2282         * dfg/DFGPlan.cpp:
2283         (JSC::DFG::Plan::compileInThread):
2284
2285 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2286
2287         One more buildfix after FTL upstream.
2288
2289         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2290
2291         * dfg/DFGLazyJSValue.cpp:
2292         (JSC::DFG::LazyJSValue::getValue):
2293         (JSC::DFG::LazyJSValue::strictEqual):
2294
2295 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2296
2297         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2298         https://bugs.webkit.org/show_bug.cgi?id=119076
2299
2300         Reviewed by Allan Sandfeld Jensen.
2301
2302         * offlineasm/mips.rb:
2303         * offlineasm/sh4.rb:
2304
2305 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2306
2307         Unreviewed GTK build fix.
2308
2309         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2310
2311 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2312
2313         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2314         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2315
2316         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2317
2318 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2319
2320         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2321
2322         * GNUmakefile.am:
2323         * GNUmakefile.list.am:
2324
2325 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2326
2327         Unreviewed buildfix after FTL upstream.
2328
2329         * runtime/JSScope.h:
2330         (JSC::needsVarInjectionChecks):
2331
2332 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2333
2334         One more fix after FTL upstream.
2335
2336         * Target.pri:
2337         * bytecode/CodeBlock.h:
2338         * bytecode/GetByIdStatus.h:
2339         (JSC::GetByIdStatus::GetByIdStatus):
2340
2341 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2342
2343         Unreviewed buildfix after FTL upstream.
2344
2345         Add ftl directory as include path.
2346
2347         * CMakeLists.txt:
2348         * JavaScriptCore.pri:
2349
2350 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2351
2352         Unreviewed buildfix after FTL upstream for non C++11 builds.
2353
2354         * interpreter/CallFrame.h:
2355         * interpreter/StackIteratorPrivate.h:
2356         (JSC::StackIterator::end):
2357
2358 2013-07-24  Oliver Hunt  <oliver@apple.com>
2359
2360         Endeavour to fix CMakelist builds
2361
2362         * CMakeLists.txt:
2363
2364 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2365
2366         fourthTier: DFG IR dumps should be easier to read
2367         https://bugs.webkit.org/show_bug.cgi?id=119050
2368
2369         Reviewed by Mark Hahnenberg.
2370         
2371         Added a DumpContext that includes support for printing an endnote
2372         that describes all structures in full, while the main flow of the
2373         dump just uses made-up names for the structures. This is helpful
2374         since Structure::dump() may print a lot. The stuff it prints is
2375         useful, but if it's all inline with the surrounding thing you're
2376         dumping (often, a node in the DFG), then you get a ridiculously
2377         long print-out. All classes that dump structures (including
2378         Structure itself) now have dumpInContext() methods that use
2379         inContext() for dumping anything that might transitively print a
2380         structure. If Structure::dumpInContext() is called with a NULL
2381         context, it just uses dump() like before. Hence you don't have to
2382         know anything about DumpContext unless you want to.
2383         
2384         inContext(*structure, context) dumps something like %B4:Array,
2385         and the endnote will have something like:
2386         
2387             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2388         
2389         where B4 is the inferred name that StringHashDumpContext came up
2390         with.
2391         
2392         Also shortened a bunch of other dumps, removing information that
2393         isn't so important.
2394         
2395         * JavaScriptCore.xcodeproj/project.pbxproj:
2396         * bytecode/ArrayProfile.cpp:
2397         (JSC::dumpArrayModes):
2398         * bytecode/CodeBlockHash.cpp:
2399         (JSC):
2400         (JSC::CodeBlockHash::CodeBlockHash):
2401         (JSC::CodeBlockHash::dump):
2402         * bytecode/CodeOrigin.cpp:
2403         (JSC::CodeOrigin::dumpInContext):
2404         (JSC):
2405         (JSC::InlineCallFrame::dumpInContext):
2406         (JSC::InlineCallFrame::dump):
2407         * bytecode/CodeOrigin.h:
2408         (CodeOrigin):
2409         (InlineCallFrame):
2410         * bytecode/Operands.h:
2411         (JSC::OperandValueTraits::isEmptyForDump):
2412         (Operands):
2413         (JSC::Operands::dump):
2414         (JSC):
2415         * bytecode/OperandsInlines.h: Added.
2416         (JSC):
2417         (JSC::::dumpInContext):
2418         * bytecode/StructureSet.h:
2419         (JSC::StructureSet::dumpInContext):
2420         (JSC::StructureSet::dump):
2421         (StructureSet):
2422         * dfg/DFGAbstractValue.cpp:
2423         (JSC::DFG::AbstractValue::dump):
2424         (DFG):
2425         (JSC::DFG::AbstractValue::dumpInContext):
2426         * dfg/DFGAbstractValue.h:
2427         (JSC::DFG::AbstractValue::operator!):
2428         (AbstractValue):
2429         * dfg/DFGCFAPhase.cpp:
2430         (JSC::DFG::CFAPhase::performBlockCFA):
2431         * dfg/DFGCommon.cpp:
2432         * dfg/DFGCommon.h:
2433         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2434         * dfg/DFGDisassembler.cpp:
2435         (JSC::DFG::Disassembler::createDumpList):
2436         * dfg/DFGDisassembler.h:
2437         (Disassembler):
2438         * dfg/DFGFlushFormat.h:
2439         (WTF::inContext):
2440         (WTF):
2441         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2442         * dfg/DFGGraph.cpp:
2443         (JSC::DFG::Graph::dumpCodeOrigin):
2444         (JSC::DFG::Graph::dump):
2445         (JSC::DFG::Graph::dumpBlockHeader):
2446         * dfg/DFGGraph.h:
2447         (Graph):
2448         * dfg/DFGLazyJSValue.cpp:
2449         (JSC::DFG::LazyJSValue::dumpInContext):
2450         (JSC::DFG::LazyJSValue::dump):
2451         (DFG):
2452         * dfg/DFGLazyJSValue.h:
2453         (LazyJSValue):
2454         * dfg/DFGNode.h:
2455         (JSC::DFG::nodeMapDump):
2456         (WTF::inContext):
2457         (WTF):
2458         * dfg/DFGOSRExitCompiler32_64.cpp:
2459         (JSC::DFG::OSRExitCompiler::compileExit):
2460         * dfg/DFGOSRExitCompiler64.cpp:
2461         (JSC::DFG::OSRExitCompiler::compileExit):
2462         * dfg/DFGStructureAbstractValue.h:
2463         (JSC::DFG::StructureAbstractValue::dumpInContext):
2464         (JSC::DFG::StructureAbstractValue::dump):
2465         (StructureAbstractValue):
2466         * ftl/FTLExitValue.cpp:
2467         (JSC::FTL::ExitValue::dumpInContext):
2468         (JSC::FTL::ExitValue::dump):
2469         (FTL):
2470         * ftl/FTLExitValue.h:
2471         (ExitValue):
2472         * ftl/FTLLowerDFGToLLVM.cpp:
2473         * ftl/FTLValueSource.cpp:
2474         (JSC::FTL::ValueSource::dumpInContext):
2475         (FTL):
2476         * ftl/FTLValueSource.h:
2477         (ValueSource):
2478         * runtime/DumpContext.cpp: Added.
2479         (JSC):
2480         (JSC::DumpContext::DumpContext):
2481         (JSC::DumpContext::~DumpContext):
2482         (JSC::DumpContext::isEmpty):
2483         (JSC::DumpContext::dump):
2484         * runtime/DumpContext.h: Added.
2485         (JSC):
2486         (DumpContext):
2487         * runtime/JSCJSValue.cpp:
2488         (JSC::JSValue::dump):
2489         (JSC):
2490         (JSC::JSValue::dumpInContext):
2491         * runtime/JSCJSValue.h:
2492         (JSC):
2493         (JSValue):
2494         * runtime/Structure.cpp:
2495         (JSC::Structure::dumpInContext):
2496         (JSC):
2497         (JSC::Structure::dumpBrief):
2498         (JSC::Structure::dumpContextHeader):
2499         * runtime/Structure.h:
2500         (JSC):
2501         (Structure):
2502
2503 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2504
2505         fourthTier: DFG should do a high-level LICM before going to FTL
2506         https://bugs.webkit.org/show_bug.cgi?id=118749
2507
2508         Reviewed by Oliver Hunt.
2509         
2510         Implements LICM hoisting for nodes that never write anything and never read
2511         things that are clobbered by the loop. There are some other preconditions for
2512         hoisting, see DFGLICMPhase.cpp.
2513
2514         Also did a few fixes:
2515         
2516         - ClobberSet::add was failing to switch Super entries to Direct entries in
2517           some cases.
2518         
2519         - DFGClobberize.cpp needed to #include "Operations.h".
2520         
2521         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2522         
2523         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2524           Knowing the indexInBlock is an optional optimization that all other clients
2525           of AI still opt into, but LICM doesn't.
2526         
2527         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2528
2529         * JavaScriptCore.xcodeproj/project.pbxproj:
2530         * dfg/DFGAbstractInterpreter.h:
2531         (AbstractInterpreter):
2532         * dfg/DFGAbstractInterpreterInlines.h:
2533         (JSC::DFG::::executeEffects):
2534         (JSC::DFG::::execute):
2535         (DFG):
2536         (JSC::DFG::::clobberWorld):
2537         (JSC::DFG::::clobberStructures):
2538         * dfg/DFGAtTailAbstractState.cpp: Added.
2539         (DFG):
2540         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2541         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2542         (JSC::DFG::AtTailAbstractState::createValueForNode):
2543         (JSC::DFG::AtTailAbstractState::forNode):
2544         * dfg/DFGAtTailAbstractState.h: Added.
2545         (DFG):
2546         (AtTailAbstractState):
2547         (JSC::DFG::AtTailAbstractState::initializeTo):
2548         (JSC::DFG::AtTailAbstractState::forNode):
2549         (JSC::DFG::AtTailAbstractState::variables):
2550         (JSC::DFG::AtTailAbstractState::block):
2551         (JSC::DFG::AtTailAbstractState::isValid):
2552         (JSC::DFG::AtTailAbstractState::setDidClobber):
2553         (JSC::DFG::AtTailAbstractState::setIsValid):
2554         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2555         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2556         (JSC::DFG::AtTailAbstractState::haveStructures):
2557         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2558         * dfg/DFGBasicBlock.h:
2559         (JSC::DFG::BasicBlock::insertBeforeLast):
2560         * dfg/DFGBasicBlockInlines.h:
2561         (DFG):
2562         * dfg/DFGClobberSet.cpp:
2563         (JSC::DFG::ClobberSet::add):
2564         (JSC::DFG::ClobberSet::addAll):
2565         * dfg/DFGClobberize.cpp:
2566         (JSC::DFG::doesWrites):
2567         * dfg/DFGClobberize.h:
2568         (DFG):
2569         * dfg/DFGDCEPhase.cpp:
2570         (JSC::DFG::DCEPhase::DCEPhase):
2571         (JSC::DFG::DCEPhase::run):
2572         (JSC::DFG::DCEPhase::fixupBlock):
2573         (DCEPhase):
2574         * dfg/DFGEdgeDominates.h: Added.
2575         (DFG):
2576         (EdgeDominates):
2577         (JSC::DFG::EdgeDominates::EdgeDominates):
2578         (JSC::DFG::EdgeDominates::operator()):
2579         (JSC::DFG::EdgeDominates::result):
2580         (JSC::DFG::edgesDominate):
2581         * dfg/DFGFixupPhase.cpp:
2582         (JSC::DFG::FixupPhase::fixupNode):
2583         (JSC::DFG::FixupPhase::checkArray):
2584         * dfg/DFGLICMPhase.cpp: Added.
2585         (LICMPhase):
2586         (JSC::DFG::LICMPhase::LICMPhase):
2587         (JSC::DFG::LICMPhase::run):
2588         (JSC::DFG::LICMPhase::attemptHoist):
2589         (DFG):
2590         (JSC::DFG::performLICM):
2591         * dfg/DFGLICMPhase.h: Added.
2592         (DFG):
2593         * dfg/DFGPlan.cpp:
2594         (JSC::DFG::Plan::compileInThreadImpl):
2595
2596 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2597
2598         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2599         https://bugs.webkit.org/show_bug.cgi?id=118910
2600
2601         Reviewed by Sam Weinig.
2602         
2603         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2604         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2605         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2606         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2607         create them all up front). FTL AbstractHeaps also don't actually give you the
2608         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2609         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2610         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2611         internally by an int64_t. Many comparisons between them are just integer comparisons.
2612         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2613         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2614         payload is the direct subtype of its corresponding TOP Kind).
2615         
2616         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2617         clobbered. It represents the set that results from unifying a bunch of
2618         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2619         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2620         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2621         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2622         member is equal to it, or if any of its ancestors are equal to a direct member.
2623         
2624         Example #1:
2625         
2626             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2627               is a subtype of Variables, which is a subtype of World.
2628             - You query Variables. I.e. Variables with a TOP payload, which is the
2629               supertype of Variables(X) for any X, and a subtype of World.
2630             
2631             The set will have Variables(5) as a direct member, and Variables and World as
2632             super members. The Variables query will immediately return true, because
2633             Variables is indeed a super member.
2634         
2635         Example #2:
2636         
2637             - I add Variables(5)
2638             - You query NamedProperties
2639             
2640             NamedProperties is not a member at all (neither direct nor super). We next
2641             query World. World is a member, but it's a super member, so we return false.
2642         
2643         Example #3:
2644         
2645             - I add Variables
2646             - You query Variables(5)
2647             
2648             The set will have Variables as a direct member, and World as a super member.
2649             The Variables(5) query will not find Variables(5) in the set, but then it
2650             will query Variables. Variables is a direct member, so we return true.
2651         
2652         Example #4:
2653         
2654             - I add Variables
2655             - You query NamedProperties(5)
2656             
2657             Neither NamedProperties nor NamedProperties(5) is a member. We next query
2658             World. World is a member, but it's a super member, so we return false.
2659         
2660         Overlap queries require that either the heap being queried is in the set (either
2661         direct or super), or that one of its ancestors is a direct member. Another way to
2662         think about how this works is that two heaps A and B are said to overlap if
2663         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2664         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2665         heaps and answers the question, "is any member in the set an ancestor (i.e.
2666         supertype) of some other heap". We would have the set contain the heaps themselves,
2667         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2668         chain of A, and repeatedly querying its membership in the set. This is what the
2669         "direct" members of our set do. Now consider the other part, where we want to ask if
2670         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2671         would implement this by implementing set.add(B) as adding not just B but also all of
2672         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2673         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2674         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2675         heap" question. ClobberSet does this, but combines the two sets into a single
2676         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2677         supertype set and the subtype set; if it's false then it's only a member of one of
2678         them.
2679         
2680         Finally, this adds a functorized clobberize() method that adds the read and write
2681         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2682         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2683         are also provided. This allows you to say things like:
2684         
2685             ClobberSet set;
2686             addWrites(graph, node1, set);
2687             if (readsOverlap(graph, node2, set))
2688                 // We know that node1 may write to something that node2 may read from.
2689         
2690         Currently this facility is only used to improve graph dumping, but it will be
2691         instrumental in both LICM and GVN. In the future, I want to completely kill the
2692         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2693         of accomplishing almost exactly what AbstractHeap gives you.
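The three-level AbstractHeap hierarchy and the ClobberSet direct/super overlap query described above, together with the LICM hoisting precondition from the 2013-07-22 entry (a node is hoistable only if it writes nothing and reads nothing the loop clobbers), as an added C++ model that is not JavaScriptCore's own code. The Kind enum, the int64_t bit layout and the Node struct are constructed for this example; the real DFG types differ.

```cpp
// Added example, not JavaScriptCore code: a small model of DFG AbstractHeap,
// ClobberSet, and the LICM "writes nothing, reads nothing the loop clobbers" test.
#include <cstdint>
#include <iostream>
#include <map>
#include <vector>

// Constructed subset of heap Kinds; World is the supertype of everything.
enum class Kind : int64_t { World = 0, Variables = 1, NamedProperties = 2 };

struct AbstractHeap {
    Kind kind;
    bool top;      // TOP payload: the whole Kind ("Variables" rather than "Variables(5)")
    int64_t value; // payload when !top, e.g. the 5 in Variables(5)

    static AbstractHeap world() { return {Kind::World, true, 0}; }
    static AbstractHeap kindTop(Kind k) { return {k, true, 0}; }
    static AbstractHeap of(Kind k, int64_t v) { return {k, false, v}; }

    // Pack into one int64_t so equality is an integer comparison. Bit layout is
    // constructed for the example: kind in bits 56-63, top flag in bit 55, payload below.
    int64_t encode() const {
        return (static_cast<int64_t>(kind) << 56) | (static_cast<int64_t>(top) << 55)
            | (value & ((static_cast<int64_t>(1) << 55) - 1));
    }
    bool operator==(const AbstractHeap& other) const { return encode() == other.encode(); }
    bool isWorld() const { return kind == Kind::World; }

    // Three-level hierarchy: Kind(payload) -> Kind(TOP) -> World.
    AbstractHeap supertype() const { return top ? world() : kindTop(kind); }

    bool isSubtypeOf(const AbstractHeap& other) const {
        AbstractHeap h = *this;
        for (;;) {
            if (h == other) return true;
            if (h.isWorld()) return false;
            h = h.supertype();
        }
    }
    // Two heaps overlap iff one is a subtype of the other (single-inheritance hierarchy).
    bool overlaps(const AbstractHeap& o) const { return isSubtypeOf(o) || o.isSubtypeOf(*this); }
};

class ClobberSet {
public:
    // add(): the heap itself becomes a direct member, all its ancestors super members.
    void add(AbstractHeap heap) {
        m_map[heap.encode()] = true; // assignment: an existing super entry is upgraded to direct
        while (!heap.isWorld()) {
            heap = heap.supertype();
            m_map.emplace(heap.encode(), false); // emplace: never downgrade a direct entry
        }
    }
    bool contains(const AbstractHeap& heap) const { return m_map.count(heap.encode()) != 0; }
    bool isDirect(const AbstractHeap& heap) const {
        auto it = m_map.find(heap.encode());
        return it != m_map.end() && it->second;
    }
    // overlaps(): the heap is a member (direct or super), or an ancestor is a direct member.
    bool overlaps(AbstractHeap heap) const {
        if (contains(heap)) return true;
        while (!heap.isWorld()) {
            heap = heap.supertype();
            if (isDirect(heap)) return true;
        }
        return false;
    }
private:
    std::map<int64_t, bool> m_map; // true = direct member, false = super member only
};

// The four examples from the entry, each returning the overlap query result.
bool example1() { ClobberSet s; s.add(AbstractHeap::of(Kind::Variables, 5)); return s.overlaps(AbstractHeap::kindTop(Kind::Variables)); }
bool example2() { ClobberSet s; s.add(AbstractHeap::of(Kind::Variables, 5)); return s.overlaps(AbstractHeap::kindTop(Kind::NamedProperties)); }
bool example3() { ClobberSet s; s.add(AbstractHeap::kindTop(Kind::Variables)); return s.overlaps(AbstractHeap::of(Kind::Variables, 5)); }
bool example4() { ClobberSet s; s.add(AbstractHeap::kindTop(Kind::Variables)); return s.overlaps(AbstractHeap::of(Kind::NamedProperties, 5)); }

// Constructed stand-in for a DFG::Node's read and write clobbers.
struct Node { std::vector<AbstractHeap> reads, writes; };

// LICM precondition: hoistable only if the node writes nothing and none of its
// reads overlap what the loop body writes.
bool canHoist(const Node& node, const ClobberSet& loopWrites) {
    if (!node.writes.empty()) return false;
    for (const AbstractHeap& r : node.reads)
        if (loopWrites.overlaps(r)) return false;
    return true;
}

int main() {
    std::cout << example1() << example2() << example3() << example4() << "\n"; // prints 1010
    ClobberSet loopWrites;
    loopWrites.add(AbstractHeap::of(Kind::Variables, 5));
    Node readsVar7{{AbstractHeap::of(Kind::Variables, 7)}, {}};
    Node readsVar5{{AbstractHeap::of(Kind::Variables, 5)}, {}};
    std::cout << canHoist(readsVar7, loopWrites) << canHoist(readsVar5, loopWrites) << "\n"; // prints 10
    return 0;
}
```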
2694
2695         * JavaScriptCore.xcodeproj/project.pbxproj:
2696         * dfg/DFGAbstractHeap.cpp: Added.
2697         (DFG):
2698         (JSC::DFG::AbstractHeap::Payload::dump):
2699         (JSC::DFG::AbstractHeap::dump):
2700         (WTF):
2701         (WTF::printInternal):
2702         * dfg/DFGAbstractHeap.h: Added.
2703         (DFG):
2704         (AbstractHeap):
2705         (Payload):
2706         (JSC::DFG::AbstractHeap::Payload::Payload):
2707         (JSC::DFG::AbstractHeap::Payload::top):
2708         (JSC::DFG::AbstractHeap::Payload::isTop):
2709         (JSC::DFG::AbstractHeap::Payload::value):
2710         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2711         (JSC::DFG::AbstractHeap::Payload::operator==):
2712         (JSC::DFG::AbstractHeap::Payload::operator!=):
2713         (JSC::DFG::AbstractHeap::Payload::operator<):
2714         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2715         (JSC::DFG::AbstractHeap::Payload::overlaps):
2716         (JSC::DFG::AbstractHeap::AbstractHeap):
2717         (JSC::DFG::AbstractHeap::operator!):
2718         (JSC::DFG::AbstractHeap::kind):
2719         (JSC::DFG::AbstractHeap::payload):
2720         (JSC::DFG::AbstractHeap::isDisjoint):
2721         (JSC::DFG::AbstractHeap::overlaps):
2722         (JSC::DFG::AbstractHeap::supertype):
2723         (JSC::DFG::AbstractHeap::hash):
2724         (JSC::DFG::AbstractHeap::operator==):
2725         (JSC::DFG::AbstractHeap::operator!=):
2726         (JSC::DFG::AbstractHeap::operator<):
2727         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2728         (JSC::DFG::AbstractHeap::payloadImpl):
2729         (JSC::DFG::AbstractHeap::encode):
2730         (JSC::DFG::AbstractHeapHash::hash):
2731         (JSC::DFG::AbstractHeapHash::equal):
2732         (AbstractHeapHash):
2733         (WTF):
2734         * dfg/DFGClobberSet.cpp: Added.
2735         (DFG):
2736         (JSC::DFG::ClobberSet::ClobberSet):
2737         (JSC::DFG::ClobberSet::~ClobberSet):
2738         (JSC::DFG::ClobberSet::add):
2739         (JSC::DFG::ClobberSet::addAll):
2740         (JSC::DFG::ClobberSet::contains):
2741         (JSC::DFG::ClobberSet::overlaps):
2742         (JSC::DFG::ClobberSet::clear):
2743         (JSC::DFG::ClobberSet::direct):
2744         (JSC::DFG::ClobberSet::super):
2745         (JSC::DFG::ClobberSet::dump):
2746         (JSC::DFG::ClobberSet::setOf):
2747         (JSC::DFG::addReads):
2748         (JSC::DFG::addWrites):
2749         (JSC::DFG::addReadsAndWrites):
2750         (JSC::DFG::readsOverlap):
2751         (JSC::DFG::writesOverlap):
2752         * dfg/DFGClobberSet.h: Added.
2753         (DFG):
2754         (ClobberSet):
2755         (JSC::DFG::ClobberSet::isEmpty):
2756         (ClobberSetAdd):
2757         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2758         (JSC::DFG::ClobberSetAdd::operator()):
2759         (ClobberSetOverlaps):
2760         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2761         (JSC::DFG::ClobberSetOverlaps::operator()):
2762         (JSC::DFG::ClobberSetOverlaps::result):
2763         * dfg/DFGClobberize.cpp: Added.
2764         (DFG):
2765         (JSC::DFG::didWrites):
2766         * dfg/DFGClobberize.h: Added.
2767         (DFG):
2768         (JSC::DFG::clobberize):
2769         (NoOpClobberize):
2770         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2771         (JSC::DFG::NoOpClobberize::operator()):
2772         (CheckClobberize):
2773         (JSC::DFG::CheckClobberize::CheckClobberize):
2774         (JSC::DFG::CheckClobberize::operator()):
2775         (JSC::DFG::CheckClobberize::result):
2776         * dfg/DFGGraph.cpp:
2777         (JSC::DFG::Graph::dump):
2778
2779 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2780
2781         fourthTier: It should be easy to figure out which blocks nodes belong to
2782         https://bugs.webkit.org/show_bug.cgi?id=118957
2783
2784         Reviewed by Sam Weinig.
2785
2786         * dfg/DFGGraph.cpp:
2787         (DFG):
2788         (JSC::DFG::Graph::initializeNodeOwners):
2789         * dfg/DFGGraph.h:
2790         (Graph):
2791         * dfg/DFGNode.h:
2792
2793 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2794
2795         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2796         https://bugs.webkit.org/show_bug.cgi?id=118956
2797
2798         Reviewed by Sam Weinig.
2799         
2800         We had two ways of expressing that something exits forward: the NodeExitsForward
2801         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2802         makes it just be a flag.
2803
2804         * dfg/DFGAbstractInterpreterInlines.h:
2805         (JSC::DFG::::executeEffects):
2806         * dfg/DFGArgumentsSimplificationPhase.cpp:
2807         (JSC::DFG::ArgumentsSimplificationPhase::run):
2808         * dfg/DFGCSEPhase.cpp:
2809         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2810         (JSC::DFG::CSEPhase::checkStructureElimination):
2811         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2812         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2813         (JSC::DFG::CSEPhase::checkArrayElimination):
2814         (JSC::DFG::CSEPhase::performNodeCSE):
2815         * dfg/DFGConstantFoldingPhase.cpp:
2816         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2817         * dfg/DFGFixupPhase.cpp:
2818         (JSC::DFG::FixupPhase::fixupNode):
2819         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2820         * dfg/DFGMinifiedNode.h:
2821         (JSC::DFG::belongsInMinifiedGraph):
2822         (JSC::DFG::MinifiedNode::hasChild):
2823         * dfg/DFGNode.h:
2824         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2825         (JSC::DFG::Node::hasStructureSet):
2826         (JSC::DFG::Node::hasStructure):
2827         (JSC::DFG::Node::hasArrayMode):
2828         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2829         * dfg/DFGNodeType.h:
2830         (DFG):
2831         (JSC::DFG::needsOSRForwardRewiring):
2832         * dfg/DFGPredictionPropagationPhase.cpp:
2833         (JSC::DFG::PredictionPropagationPhase::propagate):
2834         * dfg/DFGSafeToExecute.h:
2835         (JSC::DFG::safeToExecute):
2836         * dfg/DFGSpeculativeJIT.cpp:
2837         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2838         * dfg/DFGSpeculativeJIT32_64.cpp:
2839         (JSC::DFG::SpeculativeJIT::compile):
2840         * dfg/DFGSpeculativeJIT64.cpp:
2841         (JSC::DFG::SpeculativeJIT::compile):
2842         * dfg/DFGTypeCheckHoistingPhase.cpp:
2843         (JSC::DFG::TypeCheckHoistingPhase::run):
2844         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2845         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2846         * dfg/DFGVariableEventStream.cpp:
2847         (JSC::DFG::VariableEventStream::reconstruct):
2848         * ftl/FTLCapabilities.cpp:
2849         (JSC::FTL::canCompile):
2850         * ftl/FTLLowerDFGToLLVM.cpp:
2851         (JSC::FTL::LowerDFGToLLVM::compileNode):
2852         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2853
2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
        https://bugs.webkit.org/show_bug.cgi?id=118946

        Reviewed by Geoffrey Garen.

        We want to decouple the exit target code origin of a node from the code origin
        for all other purposes. The purposes of code origins are:

        - Where the node will exit, if it exits. The exit target should be consistent with
          the surrounding nodes, in that if you just looked at the code origins of nodes in
          the graph, they would be consistent with the code origins in bytecode. This is
          necessary for live-at-bytecode analyses to work, and to preserve the original
          bytecode semantics when exiting.

        - What kind of code the node came from, for semantics thingies. For example, we
          might use the code origin to find the node's global object for doing an original
          array check. Or we might use it to determine if the code is in strict mode. Or
          other similar things. When we use the code origin in this way, we're basically
          using it as a way of describing the node's meta-data without putting it into the
          node directly, to save space. In the absurd extreme you could imagine nodes not
          even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
          what bytecode the node originated from. We won't do that, but you can think of
          this use of code origins as just a way of compressing meta-data.

        - What code origin we should supply profiling to, if we exit. This is closely
          related to the semantics thingies, in that the exit profiling is a persistent
          kind of semantic meta-data that survives between recompiles, and the only way to
          do that is to ascribe it to the original bytecode via the code origin.

        If we hoist a node, we need to change the exit target code origin, but we must not
        change the code origin for other purposes. The best way to do this is to decouple
        the two kinds of code origin.

        OSR exit data structures already do this, because they may edit the exit target
        code origin while keeping the code origin for profiling intact. This happens for
        forward exits. So, we just need to thread separation all the way back to DFG::Node.
        That's what this patch does.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:
        (OSRExit):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
        https://bugs.webkit.org/show_bug.cgi?id=118866

        Reviewed by Sam Weinig.

        Adds a safeToExecute() method that takes a node and an abstract state and tells you
        if the node will run without crashing under that state.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGSafeToExecute.h: Added.
        (DFG):
        (SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::result):
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isValidOffset):
        (StructureAbstractValue):
        * runtime/Options.h:
        (JSC):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=118948

        Reviewed by Sam Weinig.

        - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
          This allows doing "what if" experiments with IR generation, even if the generated IR
          can't yet execute.

        - Add an OSR exit path that just calls an intrinsic that combines the branch and the
          off-ramp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLFail.cpp: Added.
        (FTL):
        (JSC::FTL::fail):
        * ftl/FTLFail.h: Added.
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * runtime/Options.h:
        (JSC):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: StringObjectUse uses structures, and CSE should know that
        https://bugs.webkit.org/show_bug.cgi?id=118940

        Reviewed by Geoffrey Garen.

        This is asymptomatic right now, but we should fix it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdgeUsesStructure.h: Added.
        (DFG):
        (EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::operator()):
        (JSC::DFG::EdgeUsesStructure::result):
        (JSC::DFG::edgesUseStructure):
        * dfg/DFGUseKind.h:
        (DFG):
        (JSC::DFG::usesStructure):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: String GetByVal out-of-bounds handling is so wrong
        https://bugs.webkit.org/show_bug.cgi?id=118935

        Reviewed by Geoffrey Garen.

        Bunch of String GetByVal out-of-bounds fixes:

        - Even if the string proto chain is sane, we need to watch out for negative
          indices. They may get values or call getters in the prototypes, since proto
          sanity doesn't check for negative indexed properties, as they are not
          technically indexed properties.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
          given this information.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
          given this information.

        Also fixed some other things:

        - If the DFG is disabled, the testRunner should pretend that we've done a
          bunch of DFG compiles. That's necessary to prevent the tests from timing
          out.

        - Disassembler shouldn't try to dump source code since it's not safe in the
          concurrent JIT.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
        (DFG):
        (SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

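The negative-index hazard that the entry above fixes is observable from plain JavaScript. The following is an added example, not code from the WebKit ChangeLog or from JavaScriptCore: it installs a getter (a constructed fixture) for the property key "-1" on a prototype, shows that reading a primitive string at index -1 reaches that getter while in-bounds and positive out-of-bounds reads never do, and then gives the guard a fast path would need before treating a key as a plain character access. The function names `probeNegativeIndexGetter` and `isPlainCharacterAccess` are this example's own.

```javascript
// Added example, not JavaScriptCore code: observable semantics behind the
// negative-index fix. Indexing a primitive string with a negative number is
// an ordinary property lookup for the key "-1". That key is not an indexed
// property of the string, so the lookup continues up the prototype chain
// and any getter installed there runs with the string as receiver.

// Installs a getter for the key "-1" on the given prototype (constructed
// test fixture), reads a string at several indices, and reports what each
// read returned and whether the getter ran. The getter is removed afterwards.
function probeNegativeIndexGetter(proto) {
  const log = [];
  Object.defineProperty(proto, "-1", {
    configurable: true,
    get() {
      log.push("getter ran");
      return "from-proto";
    },
  });
  try {
    const s = "abc";
    return {
      inBounds: s[1],            // "b": own character, prototype never consulted
      outOfBoundsPositive: s[5], // undefined: no property "5" anywhere on the chain
      negative: s[-1],           // "from-proto": key "-1" resolves to the prototype getter
      log,                       // ["getter ran"]: exactly one prototype access
    };
  } finally {
    delete proto["-1"];
  }
}

// The guard a fast path needs: a key names a plain character access only if
// it is a canonical non-negative integer index inside [0, length). Negative
// numbers, fractional values and non-canonical spellings such as "01" are
// not indexed properties and may reach the prototype chain.
function isPlainCharacterAccess(str, key) {
  const n = typeof key === "number" ? key : Number(key);
  if (!Number.isInteger(n) || n < 0 || n >= str.length) return false;
  // Reject spellings ("01", "1.0", " 1") that convert to an in-range integer
  // but are not the canonical property key for that index.
  return String(n) === String(key);
}
```

Running `probeNegativeIndexGetter(String.prototype)` and `probeNegativeIndexGetter(Object.prototype)` gives the same picture: a getter anywhere on the chain is reachable through a negative index, which is why a "sane prototype chain" check that only looks at non-negative indexed properties cannot by itself license a bounds-check-free string load; the check `isPlainCharacterAccess` expresses must hold first.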
2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
        https://bugs.webkit.org/show_bug.cgi?id=118911

        Reviewed by Geoffrey Garen.

        We could also have a separate method like "willNotCrash(offset)", but that's not
        what isValidOffset() is intended to mean.

        * runtime/Structure.h:
        (JSC::Structure::isValidOffset):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by Oliver Hunt.

        - Change Structure::isValidOffset() to actually answer the question "If I attempted
          to load from an object of this structure, at this offset, would I commit suicide
          or would I get back some kind of value?"

        - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
          way from the start.

        - Fix PutStructure so that it sets haveStructures in all of the cases that it should.

        - Make GetByOffset also reference the base object in addition to the butterfly.

        The future use of this power will be to answer questions like "If I hoisted this
        GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
        fine?"

        I don't currently plan to use this power to perform validation, since the CSE has
        the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
        remove - both in the case of StructureSets where size >= 2 and in the case of
        CheckStructures that match across PutStructures. At first I tried to write a
        validator that was aware of this, but the validation code got way too complicated
        and I started having nightmares of spurious assertion bugs being filed against me.

        This also changes some of the code for how we hash FunctionExecutable's for debug
        dumps, since that code still had some thread-safety issues. Basically, the
        concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
        that could transitively try to compute the hash from the source code. The source
        code is a string that may be lazily computed, and that involves all manner of thread
        unsafe things.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (StorageAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::isValidOffset):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
        https://bugs.webkit.org/show_bug.cgi?id=118880

        Reviewed by Sam Weinig.

        It should be possible to have an AbstractState that is backed by a HashMap. But to
        do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
        the map, since otherwise the idiom of getting a reference to the AbstractValue
        returned by forNode() would cause really subtle memory corruption bugs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (InPlaceAbstractState):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=118835

        Reviewed by Oliver Hunt.

        This separates AbstractState into two things:

        - InPlaceAbstractState, which can tell you the abstract state of anything you
          might care about, and uses the old AbstractState's algorithms and data
          structures for doing so.

        - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
          respect to an AbstractStateType. Currently we always use
          AbstractStateType = InPlaceAbstractState. But we could drop in another
          class that supports basic primitives like forNode() and variables().

        This is important because:

        - We want to hoist things out of loops.

        - We don't know what things rely on what type checks.

        - We only want to hoist type checks out of loops if they aren't clobbered.

        - We may want to still hoist things that depended on those type checks, if it's
          safe to do those things based on the CFA state at the tail of the loop
          pre-header.

        - We don't want things to rely on their type checks by way of a token, because
          that's just weird.

        So, we want to be able to have a special form of the CFA that can
        incrementally update a basic block's state-at-tail, and we want to be able to
        do this for multiple blocks simultaneously. This requires *not* storing the
        per-node state in the nodes themselves, but instead using the at-tail HashMap
        directly.

        Hence we need to have a way of making the abstract interpreter (i.e.
        AbstractState::execute) polymorphic with respect to state representation. Put
        another way, we need to separate the way that abstract state is represented
        from the way DFG IR is abstractly interpreted.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h: Added.
        (DFG):
        (AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::variables):
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filter):
        (JSC::DFG::AbstractInterpreter::filterArrayModes):
        (JSC::DFG::AbstractInterpreter::filterByValue):
        (JSC::DFG::AbstractInterpreter::trySetConstant):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h: Added.
        (DFG):
        (JSC::DFG::::AbstractInterpreter):
        (JSC::DFG::::~AbstractInterpreter):
        (JSC::DFG::::booleanResult):
        (JSC::DFG::::startExecuting):
        (JSC::DFG::::executeEdges):
        (JSC::DFG::::verifyEdge):
        (JSC::DFG::::verifyEdges):
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberCapturedVars):
        (JSC::DFG::::clobberStructures):
        (JSC::DFG::::dump):
        (JSC::DFG::::filter):
        (JSC::DFG::::filterArrayModes):
        (JSC::DFG::::filterByValue):
        * dfg/DFGAbstractState.cpp: Removed.
        * dfg/DFGAbstractState.h: Removed.
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGInPlaceAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::reset):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        (JSC::DFG::InPlaceAbstractState::merge):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGInPlaceAbstractState.h: Added.
        (DFG):
        (InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::variables):
        (JSC::DFG::InPlaceAbstractState::block):
        (JSC::DFG::InPlaceAbstractState::didClobber):
        (JSC::DFG::InPlaceAbstractState::isValid):
        (JSC::DFG::InPlaceAbstractState::setDidClobber):
        (JSC::DFG::InPlaceAbstractState::setIsValid):
        (JSC::DFG::InPlaceAbstractState::setBranchDirection):
        (JSC::DFG::InPlaceAbstractState::setFoundConstants):
        (JSC::DFG::InPlaceAbstractState::haveStructures):
        (JSC::DFG::InPlaceAbstractState::setHaveStructures):
        * dfg/DFGMergeMode.h: Added.
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (FTL):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (LowerDFGToLLVM):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
        https://bugs.webkit.org/show_bug.cgi?id=118867

        Reviewed by Mark Hahnenberg.

        This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
        ArrayProfile.

        It also makes it easier to ask any array-using node how to create its type check.

        Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
        an array profile, thinking that it was storing into a value profile. Reshuffling the
        fields in ArrayProfile revealed this.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * llint/LowLevelInterpreter64.asm:

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: CFA should consider live-at-head for clobbering and dumping
        https://bugs.webkit.org/show_bug.cgi?id=118857

        Reviewed by Mark Hahnenberg.

        - clobberStructures() was not considering nodes live-at-head when in SSA
          form. This means it would fail to clobber some structures.

        - dump() was not considering nodes live-at-head when in SSA form. This
          means it wouldn't dump everything that you might be interested in.

        - AbstractState::m_currentNode is a useless variable and we should get
          rid of it.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Add a phase to create loop pre-headers
        https://bugs.webkit.org/show_bug.cgi?id=118778

        Reviewed by Oliver Hunt.

        Add a loop pre-header creation phase. Any loop that doesn't already have
        just one predecessor that isn't part of the loop has a pre-header
        prepended. All non-loop predecessors then jump to that pre-header.

        Also fix a handful of bugs:

        - DFG::Analysis should set m_valid before running the analysis, since that
          makes it easier to use ASSERT(m_valid) in the analysis' methods, which
          may be called by the analysis before the analysis completes. NaturalLoops
          does this with loopsOf().

        - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
          returning 0, since that'll happen if the block isn't in any loop.

        - Change BlockInsertionSet to dethread the graph, since anyone using it
          will want to do so.

        - Change dethreading to ignore SSA form graphs.

        This also adds NaturalLoops::belongsTo(), which I always used in the
        pre-header creation phase. I didn't end up using it but I'll probably use
        it in the near future.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        (JSC::DFG::Analysis::computeIfNecessary):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dethread):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
        (DFG):
        (LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        (JSC::DFG::performLoopPreHeaderCreation):